About me


Previous work: 


- CVE-2019-11098: Intel Boot Guard bypass through TOCTOU attack on the SPI bus (co-discovered by @qrs)


Outline 


1. Introduction to the Management Engine Operating System 
2. The Management Engine as part of the boot process 
3. Possibilities for opening up development and security research on the ME 


Additional materials will be uploaded to https://pbx.sh/ in the days following the talk. 


About ME

[Block diagram: Minute IA System Agent, Lakemont CPU, OCS (SHA/HMAC, RSA, AES, SKS, DMA, RC4), CSME memory space]

- Full-featured embedded system within the PCH
  - 80486-derived core
  - 1.5MB SRAM
  - 128K mask ROM
  - Hardware cryptographic engine
  - Multiple sets of fuses
  - Bus bridges to PCH global fabric
  - Access to host DRAM
  - Access to Ethernet, WLAN
- Responsible for
  - System bringup
  - Manageability
    - KVM
  - Security / DRM
    - Boot Guard
    - fTPM
    - Secure enclave

About ME

- Only runs Intel signed firmware
- Sophisticated, custom OS
  - Stored mostly in SPI flash
  - Microkernel
  - Higher level code largely from MINIX
  - Custom filesystems
  - Custom binary format
- Configurable
  - Factory programmed fuses
  - Field programmable fuses
  - SPI Flash
- Extensible
  - Native modules
  - JVM (DAL)


Scope of this talk 


Intel ME version 11, specifically looking at version 11.0.0.1205

Platforms:
- Sunrise Point (Core 6th, 7th generation SoC, Intel 100, 200 series chipset)
- Lewisburg (Intel C62x chipsets)


Disclaimer 


- I am in no way affiliated with Intel Corporation.
  All information presented here was obtained from public documentation or by reverse engineering firmware extracted from hardware found "in the wild".
- Because this presentation covers a very broad and scarcely documented subject I cannot guarantee accuracy of the contents.
- The goal of this talk is to introduce people to the subject and introduce new tools, as such parts of the background information have been discovered/published by other researchers.


Working with ME firmware images 


- File format already extensively documented by Positive Technologies team (Mark Ermolov, Dmitry Sklyarov, Maxim Goryachy)
  - https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf
  - https://www.troopers.de/downloads/troopers17/TR17_ME11_Static.pdf
- Ready to use tools are available
  - Unpacks code, metadata:
    - ptresearch/unME11: Intel ME 11.x Firmware Images Unpacker
  - Unpacks code, metadata, config archives, config FS:
    - platomav/MEAnalyzer: Intel Engine Firmware Analysis Tool
  - Unpacks/Repacks config archives:
    - peterbjornx/meimagetool: Image manipulation tools for the Management Engine firmware
- Flash Image Tool contains XML descriptions of formats that can be retrieved using binwalk
Understanding the ME: Firmware Partitions

Partition table of the example image (NAME and TYPE columns; the START and SIZE columns are not legible):

    NAME     TYPE
    [FTPR]   Code
    [NFTP]   Code
    [DLMP]   Code
    [PSVN]   Data
    [IVBP]   Data
    [MFS ]   Data
    [METP]   Code
    [ROMB]   Code
    [FLOG]   Data
    [UTOK]   Data
    [ISEC]   Code

FTPR/NFTP
- Read only filesystem
- Contains firmware code
- Mounted on /bin
  - FTPR is recovery/normal boot partition.
  - NFTP binaries not used during recovery.

MFS
- Read/write filesystem
- Contains configuration data, state
- Initialized by Flash Image Tool

FLOG -> Crash log
UTOK -> Unlock Token
ROMB -> ROM Bypass


Understanding the ME: Code partitions

[Directory listing of 00004000.FTPR as unpacked by unME11: bup.met, bup.mod, bup.txt, busdrv.met, busdrv.mod, busdrv.txt, crypto.met, crypto.mod, crypto.txt, evtdisp.met, evtdisp.mod, evtdisp.txt, fpf.met, fpf.mod, FTPR.man]

- Code Partitions contain modules
  - .mod files are loadable data/code (extension added by unME11)
  - .met files are metadata (converted by unME11 to .txt)
- ...and the partition manifest
  - Filename: <partition>.man
  - Same general format as the metadata files, but has header prepended.


Understanding the ME: Metadata

- Type-Length-Value store, entries are called extensions
- Converted to human readable form by unME11
- Extensions:
  - Module info
  - Code module info
  - Shared library info
  - Process info
  - MMIO ranges
  - Device file definitions
  - ...and more...

Extension header:

    typedef struct {
        uint32_t tag;
        uint32_t length;
    } met_ext_t;

See also: https://github.com/peterbjornx/meloader/blob/master/include/manifest.h


Code verification chain

[Diagram: Intel Key hash -> verifies the Signature on the Partition Manifest; the manifest carries the SHA256 of the Metadata files; the metadata files carry the SHA256 of the Module files]

ERRATUM (added after talk): Intel Key hashes are in boot ROM, not fuses. Fuses only select which keys are actually trusted.
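Added example (not code from the talk or from meloader): a small Python parser for the tag/length extension store of the metadata slide, used to walk the manifest -> metadata -> module hash chain of the verification slide. It assumes the length field of the 8-byte header covers the header itself; the extension tags and body layouts are constructed for the example, and the RSA signature check on the manifest is not modelled.

```python
import hashlib
import struct

# Extension header as on the slide (met_ext_t): uint32 tag, uint32 length.
# Assumption for this example: length counts the 8-byte header as well.
EXT_HEADER = struct.Struct("<II")

# Tag numbers below are constructed for this example; they are not the
# real ME 11 extension type codes.
TAG_MODULE_HASH = 0x10   # body: 16-byte NUL-padded module name + SHA256
TAG_MMIO_RANGE = 0x08    # body: base, size, flags as three uint32


def parse_extensions(blob):
    """Split a metadata/manifest blob into (tag, body) pairs."""
    exts, off = [], 0
    while off + EXT_HEADER.size <= len(blob):
        tag, length = EXT_HEADER.unpack_from(blob, off)
        # A length shorter than the header would never advance (infinite
        # loop); one past the end is a truncated or hostile blob.
        if length < EXT_HEADER.size or off + length > len(blob):
            raise ValueError("bad extension length %d at offset %d" % (length, off))
        exts.append((tag, bytes(blob[off + EXT_HEADER.size:off + length])))
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last extension")
    return exts


def build_extension(tag, body):
    return EXT_HEADER.pack(tag, EXT_HEADER.size + len(body)) + body


def module_hashes(meta):
    """Collect module name -> expected SHA256 from the constructed hash extension."""
    expected = {}
    for tag, body in parse_extensions(meta):
        if tag == TAG_MODULE_HASH:
            name = body[:16].rstrip(b"\0").decode("ascii")
            expected[name] = body[16:48]
    return expected


def verify_chain(manifest_meta_hash, meta, modules):
    """Walk the chain manifest -> metadata -> module files.

    manifest_meta_hash is the SHA256 of the metadata blob that the
    (RSA-signed) partition manifest records; the RSA check on the manifest
    itself is outside this example.  Returns {module name: bool}.
    """
    if hashlib.sha256(meta).digest() != manifest_meta_hash:
        raise ValueError("metadata does not match the hash in the manifest")
    expected = module_hashes(meta)
    return {name: hashlib.sha256(data).digest() == expected.get(name)
            for name, data in modules.items()}


# Constructed sample: two fake "modules" and a metadata blob describing them.
SAMPLE_MODULES = {"bup": b"\x55\xaa" * 32, "busdrv": b"\x90" * 17}
SAMPLE_META = b"".join(
    build_extension(TAG_MODULE_HASH,
                    name.encode("ascii").ljust(16, b"\0") + hashlib.sha256(data).digest())
    for name, data in SAMPLE_MODULES.items()
) + build_extension(TAG_MMIO_RANGE, struct.pack("<III", 0xF0090000, 0x6000, 3))
# What the signed manifest would carry for this metadata blob.
SAMPLE_MANIFEST_HASH = hashlib.sha256(SAMPLE_META).digest()

if __name__ == "__main__":
    print(verify_chain(SAMPLE_MANIFEST_HASH, SAMPLE_META, SAMPLE_MODULES))
```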


Analysing a simple module

- The module file itself is a flat binary
- Metadata contains memory space info
  - Base load address is easy to find, and usually does not vary across modules within a single firmware version

[Disassembly excerpt: loc_3246E references dword ptr ds:... (missing data section?); loc_3248C calls near ptr ... and 36578h (missing code section?)]


ME shared libraries

- No dynamic linker!
- Jump vector table with fixed address entry points
- Normal SysV i386 calling convention


ME shared libraries

- syslib.mod
  - Entry point addresses vary per firmware version
  - Contains
    - hosted libc
    - libsrv
    - libheci
    - crypto library
    - ...
- mask ROM
  - Entry point addresses fixed per chipset family (eg. SPT/LBG).
  - Base: 0x0000_1000
  - Contains
    - freestanding libc
    - MMIO
    - miscellaneous utility routines


Analysing a simple module

- The module file itself is a flat binary
- Metadata contains memory space info
  - Base load address is easy to find, and usually does not vary across modules within a single firmware version

[Same disassembly excerpt, now annotated: the data references (ds:36228h and neighbours) resolve once the data section is mapped; the calls resolve to romlib_func_1000? and syslib: clear_ctx]


Disassembly of the module entrypoint (IDA, load address 0002D000):

    crtso_:
        xor     ebp, ebp
        mov     eax, [esp]
        lea     edx, [esp+4]
        lea     ecx, [esp+eax*4+8]
        mov     ebx, 3621Ch
        cmp     ebx, 36220h
        jnb     short loc_2D038
        test    bl, 3
        jnz     short loc_2D038
        cmp     dword ptr [ebx], 53535353h
        jnz     short loc_2D038
        mov     ds:36218h, ebx
    loc_2D038:
        mov     ebx, ds:36218h
        mov     [ebx], ecx
        push    ecx
        push    edx
        push    eax
        smsw    ax
        test    al, 4
        setz    byte ptr ds:36224h
        call    sub_2D371
        push    eax
        call    near ptr ...

ME module entrypoint

This is MINIX 3 crtso:

    crtso:
        xor     ebp, ebp                ! clear for backtrace of core files
        mov     eax, (esp)              ! argc
        lea     edx, 4(esp)             ! argv
        lea     ecx, 8(esp)(eax*4)      ! envp
        mov     ebx, _environ
        cmp     ebx, __edata            ! within initialized data?
        jae     0f
        testb   bl, 3                   ! aligned?
        jnz     0f
        cmp     (ebx), 0x53535353       ! is it our environ?
        jne     0f
        mov     (__penviron), ebx       ! _penviron = &environ
    0:  mov     ebx, (__penviron)
        mov     (ebx), ecx              ! *_penviron = envp
        push    ecx                     ! push envp
        push    edx                     ! push argv
        push    eax                     ! push argc
        smsw    ax
        testb   al, 0x4                 ! EM bit in MSW
        setz    (__fpu_present)         ! True if not set
        call    _main                   ! main(argc, argv, envp)
        push    eax                     ! push exit status
        call    _exit
Data sections

- Initialized data is appended to .rodata
- Before crtso is entered it is copied over to .bss
- Addresses can be inferred from code or metadata.

    00032428 sub_32428 proc near
    00032428     push    ebp
    00032429     mov     edx, offset dword_33000
    0003242E     ...
    00032430     mov     eax, 36200h
    00032435 loc_32435:
    00032435     cmp     eax, 36220h
    0003243A     ...                         ; exits to loc_32445 once eax reaches 36220h
    0003243C     inc     eax
    0003243D     mov     cl, [edx]
    0003243F     inc     edx
    00032440     mov     [eax-1], cl
    00032443     jmp     short loc_32435
    00032445 loc_32445:
    00032445     pop     ebp
    00032446     retn
    00032446 sub_32428 endp

Data sections

- Processes use flat 32-bit memory model
- Base address and various area sizes are stored in metadata.
- System library state resides in program-specified area.

For a minimal working implementation of this, see GitHub meloader repo: user/loader/map.c

Process memory map (highest address at the top; sizes taken from the metadata):

    Region                  Size
    Syslib context          context_size
    (.bss)                  bss_size
    pre-allocated heap      default heap size
    thread 0 stack          threads[0].stack size
    thread 0 stack guard    4 kB
    ...
    thread n stack          threads[n].stack size
    thread n stack guard    4 kB
    .rodata                 uncomp size - text size
    .text                   text size               <- priv code base address
    Syslib
                                                    <- 0000 9000
    rom library                                     <- 0000 1000
                                                    <- 0000 0000


Familiar APIs

ME provides many familiar POSIX APIs:

- libc:
  - read(), write(), close(), open(), fcntl(), ioctl(), select(), chdir(), stat(), ...
  - nearly everything in string.h
  - exit()
  - malloc(), free(), calloc()
- pthreads
  - pthread_create() ...
  - pthread_mutex_{lock,unlock}


Example driver main() function

Decompiled excerpt (annotated; parts that are not legible are shown as ...):

    cookie = cookie_value;
    memset(&funcs, 0, 40);
    ...
    sven_init(...);
    ...
    fd = open(...);
    funcs.open   = VdmDrvOpenCallback;              // libsrv callbacks
    funcs.select = VdmDrvSelectCallback;
    if ( srv_init(&ctx, ..., &funcs, ..., 5) ) {    // libsrv init
        sven_print(...);
        goto LABEL_7;
    }
    return srv_task(&ctx);


Trace output: SVEN

- Intel Software Visible Event Nexus
- Trace print format strings are replaced by message IDs
  - These are reasonably stable for given platform/major version.
- Output goes to Trace Hub
  - Can be read back from host using memory trace
  - Can be read over debug interface EVEN WITHOUT UNLOCK
- Intel System Studio used to contain decoder and dictionary
  - GREEN dictionary is not very useful, only has a handful of messages
  - System Studio 2018 beta had a nearly complete one for LBG

SVEN entry points in syslib (names partly illegible):

    void sven_...( int level, int ... );
    void sven_print( const char *fmt, ... );
    void sven_print_l( int level, const char *fmt, ... );
    void sven_...( int ... );


ME driver overview: device files

- Unix-style special files under /dev
  - One major number per module
  - Major, minor numbers and names specified in metadata
  - Drivers implement read(), write(), open(), close(), ioctl() for device files
  - Not just for device drivers, used for all high-level services.
- syslib contains convenient framework for implementing this
  - Implementation details hidden, just provide callbacks

Device file definitions from a module's metadata (unME11 output, partly illegible):

    ... vdm_...  access mode: 0660, user id: 0x0074, group id: 0x0037, minor number: ...
    ... vdm_...  access mode: 0660, user id: 0x0074, group id: ...,    minor number: ...
    ... vdm_...  access mode: 0660, user id: ...,    group id: ...,    minor number: ...


ME driver overview: libsrv

Framework for drivers, allows driver to only implement simple callbacks.

- open(), close() implementations return their status,
- read(), write(), ioctl() call a reply function with their result data and status.
- libsrv also allows handling hardware interrupts and power state changes.

Callback and entry point prototypes (partly illegible):

    typedef int (*..._cb)( server_t *ctx, int fd, int gtid, int ..., void *par );
    typedef int (*open_cb)( server_t *ctx, int minor, int gtid, int ..., void *... );
    typedef int (*close_cb)( ... );

    int srv_task( server_t *ctx );
    int srv_init( server_t *ctx, int major, srvfuncs_t *funcs, srvcli_t *clients, int maxclients );
    int srv_..._reply( server_t *ctx, int fd, int gtid, int ?, int status, void *... );


Accessing hardware

- MMIOs are accessed through ROM library functions
- The MMIO ranges are defined in the manifest
  - mmio = (mmio list index * 8) | 7
  - Seem familiar to anyone?

ROM library MMIO accessors (reconstructed prototypes):

    void write_seg_32( int mmio, int offset, int value );
    void write_seg_16( int mmio, int offset, short value );
    void write_seg_8 ( int mmio, int offset, char value );
    int  read_seg_32 ( int mmio, int offset );
    int  read_seg_16 ( int mmio, int offset );
    int  read_seg_8  ( int mmio, int offset );
    void write_seg   ( int mmio, int offset, const void *buffer, int count );

Calls seen in a driver, with 0xDF as the mmio handle:

    (0xDF, 88, 0xF80);
    (0xDF, 92, 0xFED40080);
    (0xDF, 96, 0);
    (0xDF, 100, 0xF80);
    (0xDF, 104, 0xFED40080);
    (0xDF, 108, 0);

Ext#8 MmioRanges[41]:

    CF base:F00A0000, size:00006000, flags:00000003  RAVDM
    D7 base:F5050000, size:00010000, flags:00000002  ICC CONTROLLER
    DF base:F0090000, size:00006000, flags:00000003  FTPM

The handle has the layout of an x86 segment selector:

    bits 15..3  Index: selects one descriptor from 8,192 descriptors in either the global or local descriptor table
    bit 2       TI = 0 Global descriptor table, TI = 1 Local descriptor table
    bits 1..0   RPL = Requested privilege level where 00 is the highest and 11 is the lowest
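Added example, not code from the talk: a Python model of how an mmio handle of the form (index*8)|7 is split like a segment selector and resolved against the manifest's MmioRanges, using the three entries shown above. The flags' bit meaning is not on the slide and is left opaque; the bounds and alignment checks are what a loader such as meloader would need before honouring a read_seg_*/write_seg_* call.

```python
# Subset of the Ext#8 MmioRanges list from the slide, keyed by list index.
# The indices follow from the handles shown (0xCF, 0xD7, 0xDF); the flags
# are carried through unchanged because their bit meaning is not on the slide.
MMIO_RANGES = {
    25: ("RAVDM",          0xF00A0000, 0x06000, 0x3),
    26: ("ICC CONTROLLER", 0xF5050000, 0x10000, 0x2),
    27: ("FTPM",           0xF0090000, 0x06000, 0x3),
}


def make_mmio_handle(index):
    """(mmio list index * 8) | 7, as the slide states."""
    return (index << 3) | 7


def split_selector(sel):
    """x86 segment selector layout: index (bits 15..3), TI (bit 2), RPL (bits 1..0)."""
    return sel >> 3, (sel >> 2) & 1, sel & 3


def resolve_mmio(handle, offset, width, ranges=MMIO_RANGES):
    """Map (handle, offset) as passed to read_seg_*/write_seg_* to (range name, physical address).

    Rejects handles that are not of the index*8|7 form, indices the manifest
    does not list, misaligned accesses, and offsets past the end of the range.
    """
    index, ti, rpl = split_selector(handle)
    if ti != 1 or rpl != 3:
        raise ValueError("handle %#x is not of the (index*8)|7 form" % handle)
    if index not in ranges:
        raise KeyError("handle %#x: MMIO index %d not declared in the manifest" % (handle, index))
    name, base, size, _flags = ranges[index]
    if width not in (1, 2, 4) or offset % width:
        raise ValueError("unaligned %d-byte access at offset %#x" % (width, offset))
    if offset < 0 or offset + width > size:
        raise ValueError("offset %#x outside %s (size %#x)" % (offset, name, size))
    return name, base + offset


def annotate_calls(calls, width=4):
    """Resolve a list of (handle, offset) pairs lifted from a disassembly."""
    return [resolve_mmio(handle, offset, width) for handle, offset in calls]


# The six writes from the slide: handle 0xDF, offsets 88..108 (constructed list).
SLIDE_CALLS = [(0xDF, 88), (0xDF, 92), (0xDF, 96), (0xDF, 100), (0xDF, 104), (0xDF, 108)]

if __name__ == "__main__":
    for (handle, off), (name, phys) in zip(SLIDE_CALLS, annotate_calls(SLIDE_CALLS)):
        print("write_seg_32(%#x, %d, ...) -> %s @ %#010x" % (handle, off, name, phys))
```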


The levels below the POSIX-like environment

- Kernel implements IPC primitives and MMIO access
  - Message passing
  - Memory grants
  - DMA buffers
  - MMIO mappings
  - Memory protection
- VFS/Process Manager server implement POSIX calls
  - Accessed through kernel IPC
- Drivers and high level servers implement device files


Message Passing: Basics

- Used to implement server-based "syscalls" and other low level IPC
- Not often directly used by modules
- Mostly MINIX derived
- Fixed message header structure, variable body.

    ipc_sendrec( int who, syscall_msg *msg )
        Sends a message, and immediately does a blocking receive. Used for server calls.

    ipc_send( int who, syscall_msg *msg )
        Sends a message, blocks until it is received.

    ipc_notify( int who )
        Asynchronously sends a notify event to a process.

Memory Grants

- Also MINIX derived (safecopies), relatively new feature in MINIX.
- Dynamic resource and memory access control
- Allows a process to register a global name for a memory buffer or MMIO range
- Referenced as (gtid, id) pair
  - Memory grant ID is not global, but always combined with the GTID of the owner process
- Granted to a single process.
- Either refers to
  - Granter memory space
    - (pointer, size)
  - MMIO resource:
    - (MMIO, offset, size)


Memory Grants

- Grantee operations:
  - mg_copyto( MG, offset, data, size )
  - mg_copyfrom( MG, offset, data, size )
- Owner operations:
  - mg_getbuf( MG )
  - mg_revoke( MG )
  - mg_create( MMIO/memory, grantee GTID )


Memory Grants: Indirect Grants

- Refer not to memory but to a grant given to the owner.
- Allow grantee to further delegate grants
- Permissions are the intersection of those in the chain

[Diagram: Process A holds no grants. Process B holds Grant 1 and Grant 2 = Ind: (C,2), To: A. Process C holds Grant 1 and Grant 2 = Mem: (ptr,sz), To: B. A's copyto((B,2), ...) is forwarded through B's indirect grant as copyto((C,2), ...); copyfrom((B,2), ...) follows the same chain]
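Added example (constructed, not the ME kernel's code): a Python model of grants as (gtid, id) references, with indirect grants and the permission intersection along the chain from the slide's A/B/C scenario, plus the revocation and cyclic-chain cases a kernel has to handle. Read/write permission sets and the MAX_CHAIN bound are assumptions of the example.

```python
from dataclasses import dataclass

MAX_CHAIN = 8   # assumption: bound on indirect-grant depth so a cycle cannot recurse forever

# Permissions are modelled as a set drawn from {"R", "W"}; the slide only says
# that the effective permissions are the intersection along the chain.


@dataclass
class Grant:
    grantee: int                 # GTID of the single process allowed to use this grant
    perms: frozenset
    mem: tuple = None            # (buffer, offset, size) for a direct memory grant
    indirect: tuple = None       # (owner GTID, grant id) for an indirect grant


class GrantTable:
    """Kernel-side view: per-owner tables of grants, referenced as (gtid, id)."""

    def __init__(self):
        self.tables = {}

    def mg_create(self, owner, grant_id, grant):
        self.tables.setdefault(owner, {})[grant_id] = grant

    def mg_revoke(self, owner, grant_id):
        del self.tables[owner][grant_id]

    def resolve(self, ref, requester, depth=0):
        """Follow (gtid, id) until a memory grant; returns (buffer, offset, size, perms)."""
        if depth > MAX_CHAIN:
            raise PermissionError("grant chain too long or cyclic at %r" % (ref,))
        owner, grant_id = ref
        grant = self.tables.get(owner, {}).get(grant_id)
        if grant is None:
            raise PermissionError("no grant %r" % (ref,))
        if grant.grantee != requester:
            raise PermissionError("process %d is not the grantee of %r" % (requester, ref))
        if grant.indirect is None:
            buf, off, size = grant.mem
            return buf, off, size, grant.perms
        # Indirect: the owner must itself be the grantee of the grant it delegates,
        # and it can only pass on permissions it holds (intersection along the chain).
        buf, off, size, perms = self.resolve(grant.indirect, owner, depth + 1)
        return buf, off, size, perms & grant.perms

    def mg_copyto(self, requester, ref, offset, data):
        buf, base, size, perms = self.resolve(ref, requester)
        if "W" not in perms:
            raise PermissionError("no write permission through %r" % (ref,))
        if offset < 0 or offset + len(data) > size:
            raise ValueError("write outside granted region")
        buf[base + offset:base + offset + len(data)] = data

    def mg_copyfrom(self, requester, ref, offset, length):
        buf, base, size, perms = self.resolve(ref, requester)
        if "R" not in perms:
            raise PermissionError("no read permission through %r" % (ref,))
        if offset < 0 or offset + length > size:
            raise ValueError("read outside granted region")
        return bytes(buf[base + offset:base + offset + length])


def make_sample_table():
    """Constructed scenario from the slide: A = 1, B = 2, C = 3.

    C owns a buffer and grants it R/W to B as (C, 2); B delegates it
    write-only to A as the indirect grant (B, 2).
    """
    table = GrantTable()
    c_buf = bytearray(32)
    table.mg_create(3, 2, Grant(grantee=2, perms=frozenset("RW"), mem=(c_buf, 0, 32)))
    table.mg_create(2, 2, Grant(grantee=1, perms=frozenset("W"), indirect=(3, 2)))
    return table, c_buf
```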


ME optimizations to MINIX IPC: fds

- Direct IPC between process and drivers is impossible in MINIX
- ME OS has a solution: kernel is aware of fd's
  - Memory can be granted to fd's owners
  - Messages targeted to GTID 0 go to fd driver.

Kernel calls for fd-aware IPC (prototypes largely illegible):

    ...( ..., int fd );
    void ..._open( int fd, int ..._gtid, int ..._fd, int ..._gtid, int ..._fd, int minor, int sel, int flags );


ME optimizations to MINIX IPC: select_receive()

- select() was moved into kernel and combined with ipc_receive() as

    int select_receive(
        int nfds,
        fd_set *readfds,
        fd_set *writefds,
        fd_set *exceptfds,
        struct timeval *timeout,
        int from_gtid,
        syscall_msg *msg_out,
        int *have_msg );

    void ...( int fd, ... );


DMA Locks

- Processes can request MGs to be locked in memory for DMA
- Separate in (device->ram) and out (ram->device) mappings

    int sys_mem_dma_lock(
        short out_tid, char out_flags, int out_mg, int out_...,
        short in_tid,  char in_flags,  int in_mg,  int in_...,
        ...,
        uint32_t *out_paddr,
        uint32_t *in_paddr,
        ... );

    int sys_mem_dma_unlock( int ... );


ME Hardware

Understanding the address space

- MMIO metadata refers to physical addresses, but HW is nonstandard and configurable
- However...

Strings found in busdrv.mod:

    HECI1_PCIPF_IBDF
    HECI2_PCIPF_IBDF
    FTPM_PCIPF_IBDF
    SECURE_ENCLAVE_PCIPF_IBDF
    RAVDM_PCIPF_IBDF
    ATT_PCIPF_IBDF
    GEN_PCIPF_IBDF
    GPIO_PROXY_PCIPF_IBDF
    KERNEL_TIMER_PCIPF_IBDF

The bus driver: busdrv

- Power gating
- PCI configuration space access
- Sideband bus access
- Physical resource mapping (BARs, ATTs)
- Old SPT builds have lots of debug strings
- Holds table containing system address and bus map


The table in human readable form

Fixed PCI functions (Bus/Dev/Func/SAI columns not legible):

    Name                       Type           CFG base
    HECI1_PCIPF_IBDF           PRIM_PCIFIXED  F1000000
    HECI2_PCIPF_IBDF           PRIM_PCIFIXED  F1001000
    FTPM_PCIPF_IBDF            PRIM_PCIFIXED  F1002000
    SECURE_ENCLAVE_PCIPF_IBDF  PRIM_PCIFIXED  F1003000
    RAVDM_PCIPF_IBDF           PRIM_PCIFIXED  F1004000
    ATT_PCIPF_IBDF             PRIM_PCIFIXED  F1005000
    GEN_PCIPF_IBDF             PRIM_PCIFIXED  F1006000
    GPIO_PROXY_PCIPF_IBDF      PRIM_PCIFIXED  F1007000
    KERNEL_TIMER_PCIPF_IBDF    PRIM_PCIFIXED  F1008000
    APP_TIMER_PCIPF_IBDF       PRIM_PCIFIXED  F1009000
    IPC_PCIPF_IBDF             PRIM_PCIFIXED  F100A000
    HECI3_PCIPF_IBDF           PRIM_PCIFIXED  F100B000

Other devices (Bus/Dev/Func/SAI and SKU flags columns not legible):

    Name                 Type            CFG base
    MINUTE_IA_SA_IBDF    ROM Early Init  E0000000
    CRYPTO_ENGINE_IBDF   ROM Init        E0008000
    KVM_PCIP_IBDF        PRIM_PCIP       E0040000
    USBR0_PCIP_IBDF      PRIM_PCIP       E0048000
    USBR1_PCIP_IBDF      PRIM_PCIP       E0049000
    SMT0_PCIP_IBDF       PRIM_PCIP       E0050000
    SMT1_PCIP_IBDF       PRIM_PCIP       E0051000
    SMT2_PCIP_IBDF       PRIM_PCIP       E0052000
    SMT3_PCIP_IBDF       PRIM_PCIP       E0053000
    SMT4_PCIP_IBDF       PRIM_PCIP       E0054000
    SMT5_PCIP_IBDF       PRIM_PCIP       E0055000
    CLINK_PCIP_IBDF      PRIM_PCIP       E0058000
    SST_PCIP_IBDF        PRIM_PCIP       E0060000
    PTIO_IDER_PCIP_IBDF  PRIM_PCIP       E0068000
    PTIO_KT_PCIP_IBDF    PRIM_PCIP       E0069000
    PMT_PCIP_IBDF        PRIM_PCIP       E0070000
    HDAU_PCIP_IBDF       PRIM_PCIP       E00C0000
    SPI_PCIP_IBDF        PRIM_PCIP       E00C8000
    ESPI_PCIP_IBDF       PRIM_PCIP       E00C9000
    PMC_PCIP_IBDF        PRIM_PCIP       E00D0000
    GBE_PCIP_IBDF        PRIM_PCIP       E00D8000
    WLAN_PCIP_IBDF       PRIM_PCIP       E0100000


Other information sources on HW

- My ME emulator:
  - https://github.com/peterbjornx/meloader
- Various files in old Intel System Studio versions
  - See Intel VISA: Through the Rabbit Hole (Goryachy, Ermolov) for info on extracting
  - https://github.com/peterbjornx/iss_tools Tools for parsing some of the XML config
- Innovation Engine firmware by HP
- Pentium N and J Series Datasheets
  - Intel® Pentium® and Celeron® Processor N and J Series: Datasheet 3


Platform Primary Fabric

[Diagram: the ME Root Space and IE Root Space attached to the Platform Primary Fabric (from Host CPU, eSPI, SPI, PMC; to eSPI, SPI, PMC, DDR, USB ports), with the ME Internal Primary Fabric (USB-R, PECI, SMT, DRNG, ME(IPC), Offload and Crypto) and the IE Internal Primary Fabric; bus legend: Primary, Side Band, DFx, External; *IE Gasket has implied bridges]

Source: Intel VISA: Through the Rabbit Hole (Ermolov, Goryachy at BlackHat Asia 2019)
Primary Memory Space (64-bit)

[Diagram: the 64-bit Primary Memory Space holding the Minute IA System Agent, the Lakemont CPU and PCI functions (SATA3, P2SB, PTIO, ...); the Lakemont ATT bridges the 32-bit IPC Memory Space of the ME core onto it]


Processor

- Lakemont microarchitecture
  - "Minute IA"
  - 486 derived
  - Same as Quark MCUs
  - Run-Control documentation is public
  - Supported by OpenOCD
- Modern ISA extensions
  - MSRs
  - CPUID
- Only MSI interrupts used

[Design hierarchy excerpt: mIA486 > minuteia_apic, xmod > bunit, sips > sip(31 downto 0), slea, sbsy]


Custom host bridge: Minute IA System Agent

- Similar to some Quark devices
- Partial documentation available:
  - Intel® Pentium® and Celeron® Processor N and J Series: Datasheet 3
- IO address space seems to be unused!
- Implements
  - SRAM / ROM controller
  - IOMMU for fabric->memory requests
  - PCI configuration space access
  - Bus firewall
  - and more

[Diagram: Minute IA System Agent sitting between the Lakemont CPU and SRAM / ROM]


Hardware Cryptographic Accelerator

- Referred to in various places as OCS
- Hardware implementations of
  - SHA256
  - SHA256 HMAC
  - AES (2 cores)
  - RSA
  - RC4
- Multiple DMA engines
- Secure Key Storage

Sub-devices (base offset, name; the DMA column is not legible):

    +8000  AES
    +A000  AES
    +8000  Hash
    +C000  ? (RC4 in IE)
    +D000  ? (GP in IE)
    +E000  RSA
    +F000  SKS


Hardware Cryptographic Accelerator: IP blocks (partial)

[Diagram: OCP Fabric initiator feeding aes_top, hcu_top, rc4_top and a second aes_top, each with an input buffer and an output buffer; hcudma and multi_dma engines]


Crypto: DMA Engines

- At offset 400h in HCU sub devices
- Used for general purpose DMA
- Src/Dst = 0 targets internal buffer

    Offset  Name      Description
    +400    SRC_ADDR  Source address of the DMA transfer
    +404    DST_ADDR  Destination address of the DMA transfer
    +408    SRC_SIZE  Size of the source buffer
    +40C    DST_SIZE  Size of the destination buffer
    +410    CONTROL   Transfer control bits
    +428    STATUS    Status of the DMA engine
Host-Embedded Controller Interface (HECI)

- Misleading name
  - also known as Management Engine Interface (MEI)
- Command interface between Host and ME
- Firmware Status Registers
  - Written by ME
  - Read by host.
  - See https://github.com/peterbjornx/meloader/tree/master/periph/gasket/heci and intel/skylake: Display ME firmware status before os boot (Ia511c4f3) · Gerrit Code Review and the MEINFO tool in the vendor package.


Primary Address Translation Table

- Maps ME memory cycles onto primary fabric
- Used for both ME and host root spaces
- Not fully understood yet, config is pretty much hardcoded (cells that are not legible are marked ?):

    Slot | ME Address | Size    | Primary address   | Control  | Description
    0    | 02000000   | 2000000 | 00000000 ?        | 12040007 | ME peripherals
    1    | F4600000   | 200000  | 00000000 74600000 | 12040007 | ME peripherals
    2    | D0000000   | 4000000 | 00000000 00000000 | 080E0003 | UMA
    3    | ?7000000   | 800000  | 00000000 17000000 | 12040007 | Trace hub
    4    | BC000000   | 2000000 | 00000000 00000000 | 01040003 | Host DRAM
    5    | C0000000   | 2000000 | 00000000 00000000 | 03440003 |
    6    | C4000000   | 2000000 | 00000000 00000000 | 03440003 |
    7    | C8000000   | 2000000 | 00000000 ?        | 12040003 |
    8    | CA000000   | 2000000 | 00000000 00000000 | 05040005 |
Root spaces

- Some peripherals expose different PCI functions to different hosts
- Example: SPI controller, documented at:
  - Intel® Pentium® and Celeron® Processor N and J Series: Datasheet 3


Sideband Fabric

- Packet switched network
- Endpoint IDs instead of PCI BDF
- Accessible from both ME and host
- PCI-like opcodes:
  - Register R/W
  - Configuration R/W
  - Memory R/W
- Addressed by:
  - (Opcode, Endpoint, Root Space, Function Number, BAR number)
- Security model based around SAI numbers
- Spec partially public as patent application US 2013 0138858 A1


Sideband Address Translation Table

Maps sideband devices as memory space

Registers of one entry:

    INT_BA
    INT_SIZE
    CONTROL
    unknown
    unknown
    SB_ADDRESS
    SB_ADDRESS_HI

Sideband address fields:

    name      Description
    endpoint  The sideband endpoint number
    read op   The read opcode to use
    write op  The write opcode to use
    bar       The base address register index

Function / root space fields:

    name       Description
    function   The function ID being addressed
    rootspace  The root space


Some sideband addresses for LBG/SPT

    BROADCAST1   = 0xFF,
    BROADCAST2   = 0xFE,
    DMI          = 0xEF,
    ESPISPI      = 0xEE,
    ICLK         = 0xED,
    MODPHY4      = 0xEB,
    MODPHY5      = 0x10,
    MODPHY1      = 0xE9,
    PMC          = 0xE8,
    XHCI         = 0xE6,
    OTG          = 0xE5,
    SPE          = 0xE4,
    SPD          = 0xE3,
    SPC          = 0xE2,
    SPB          = 0xE1,
    SPA          = 0xE0,
    UPSX8        = 0x06,
    UPSX16       = 0x07,
    TAP2IOSFSB1  = 0xDF,
    TRSB         = 0xDD,
    ICC          = 0xDC,
    GBE          = 0xDB,
    SATA         = 0xD9,
    SSATA        = 0x0F,
    LDO          = 0x14,
    DSP          = 0xD7,
    FUSE         = 0xD5,
    FSPROX0      = 0xD4,
    DRNG         = 0xD2,
    FIA          = 0xCF,
    FIAWM26      = 0x13,
    USB2         = 0xCA,
    LPC          = 0xC7,
    SMB          = 0xC6,
    P2S          = 0xC5,
    ITSS         = 0xC4,
    RTC          = 0xC3,
    PSF5         = 0x8F,
    PSF6         = 0x70,
    PSF7         = 0x01,
    PSF8         = 0x29,
    PSF9         = 0x21,
    PSF10        = 0x36,
    PSF4         = 0xBD,
    PSF3         = 0xBC,
    PSF2         = 0xBB,
    PSF1         = 0xBA,
    HOTHAM       = 0xB9,
    DCI          = 0xB8,
    DFXAGG       = 0xB7,
    NPK          = 0xB6,
    MMP0         = 0xB0,
    GPIOCOM0     = 0xAF,
    GPIOCOM1     = 0xAE,
    GPIOCOM2     = 0xAD,
    GPIOCOM3     = 0xAC,
    GPIOCOM4     = 0xAB,
    GPIOCOM5     = 0x11,
    MODPHY2      = 0xA9,
    MODPHY3      = 0xA8,
    PNCRC        = 0xA5,
    PNCRB        = 0xA4,
    PNCRA        = 0xA3,
    PNCR0        = 0xA2,
    CSME15       = 0x9F, //SMS2
    CSME14       = 0x9E, //SMS1
    CSME13       = 0x9D, //PMT
    CSME12       = 0x9C, //PTIO
    CSME11       = 0x9B, //PECI
    CSME9        = 0x99, //SMT6
    CSME8        = 0x98, //SMT5
    CSME7        = 0x97, //SMT4
    CSME6        = 0x96, //SMT3
    CSME5        = 0x95, //SMT2
    CSME4        = 0x94, //SMT1
    CSME3        = 0x93, //FSC
    CSME2        = 0x92, //USB-RSAI
    CSME0        = 0x90, //CSE
    CSME_PSF     = 0x8F, //MEPSF
    CSMERTC      = 0x8E,
    IEUART       = 0x80,
    IEHOTHAM     = 0x7F,
    IEPMT        = 0x7E,
    IESSTPECI    = 0x7D,
    IEFSC        = 0x7C,
    IESMT5       = 0x7B,
    IESMT4       = 0x7A,
    IESMT3       = 0x79,
    IESMT2       = 0x78,
    IESMT1       = 0x77,
    IESMT0       = 0x76,
    IEUSBR       = 0x74,
    IEPTIO       = 0x73,
    IEIOSFGASKET = 0x72,
    IEPSF        = 0x70,
    FPK          = 0x0A,
    MP0KR        = 0x3C,
    MP1KR        = 0x3E,
    RUAUX        = 0x0B,
    RUMAIN       = 0x38,
    EC           = 0x20,
    CPM2         = 0x38,
    CPM1         = 0x37,
    CPM0         = 0x0C,
    VSPTHERM     = 0x25,
    VSPP2SB      = 0x24,
    VSPFPK       = 0x22,
    VSPCPM2      = 0x35,
    VSPCPM1      = 0x34,
    VSPCPM0      = 0x33,
    MSMROM       = 0x08,
    PSTH         = 0x89

Source: Intel VISA: Through the Rabbit Hole (Ermolov, Goryachy at BlackHat Asia 2019)


Dynamic analysis

ME JTAG How-To

- Arbitrary code execution in the BUP module (CVE-2017-5705,6,7)
- Activation of RED UNLOCK without Intel keys
- JTAG access to ME core
- Full control over the target
- ME is no longer a "black box"

Slide from Inside Intel Management Engine (Ermolov, Goryachy at 34C3)


Developing an exploit for CVE-2017-5705,6,7

- Determine stack location
- Craft payload to turn stack variable overflow into arbitrary write
- Determine return pointer address
- Find ROP gadgets
- Turn on debug access / chainload custom firmware


meloader: WINE for the ME

- Runs unmodified ME usermode binaries under Linux
- Built to run bup, not to be an accurate emulation of HW

https://github.com/peterbjornx/meloader

Features:
- ME binary loader
- Hooks for syslib, romlib
- Syscall stubs
- MMIO peripheral emulation
- Bus emulation
- MMIO passthrough to external programs
- Configurable hardware configuration and initial state
- SVEN decoder


meloader as a debugger

- Get meloader to run bup to the vulnerable part of its code

  Peter Bosch @peterbjornx · Apr 21
  I've gotten my ME loader to the point where it will load the Trace Hub config file, which means that I can now easily debug an SA-00086 exploit and hopefully get JTAG on a real ME other than the TXT targetted by the PT proof of concept

- Develop exploit against bup running in meloader

- Forget to add --one-file-system to rm command and lose homedir

  kakaroto commented on Aug 20

  Good news, I finally got it!

  Unfortunately there wasn't a way to scan or probe for devices so I had to generate an xml with all possible device paths in the jtag chain and clear out those with an invalid idcode then did an irdrscan 0x2 on valid TAP devices until I found the processor id of the LMT device.

  In the end, it works :)

  Thanks for all the help I got from here!

  [Screenshot of the JTAG session]

  After I'm done with the rest of my ROPs to get the main CPU booting, I'll release everything with a blog post on the whole process, in the meantime, you get to see the important offsets in that screenshot for those who need them :)

kakaroto:

  Peter Bosch @peterbjornx · Sep 1
  Haven't yet pushed everything for this yet, but here's my ME emulator booting BUP to the point where it does the unlock logic, ExI logic and tracehub config (/home/bup/ct).

    sven: 005600008086000200000002
    cse sa: Bus error while reading from primary bus addr 50081050 size
    sven: CSE zeroing register 00000000
    sven: DFX consent register 66666000
    sven: DFX personality register 00000000
    sven: DFX status register (low dword) 00000000
    sven: DFX status register (high dword) 00000000
    sven: DFX PUID register (low dword) 78ABCDEF
    sven: DFX PUID register (high dword) 00123456
    libc: syscall( 25, 12, 0x0005CE78) wrong size
    libc: syscall( 25, 12, 0x0005CE78) wrong size
    sven: "No secure token present"
    sven: "[HECI1 CSE GS1] write data = 0x1000000, mask data = 0xF000000."
    exi: Read emecc register: 00000000
    exi: Write emecc register: 00000000 (ExI disabled)
    exi: Read emecc register: 00000000
    exi: Read ectrl register: 00000100
    dfxagg: Write consent register: 00000001
    [ERROR] pmc: Write to unimplemented register 00000218 size 4
    [DEBUG] thub: Read SCRPD0: 0x01000000
    [ERROR] cse sa: Bus error while reading from primary bus addr F0080018 size

  Peter Bosch @peterbjornx · Sep 1
  Finally got around to re-implementing and testing an exploit for the ME buffer overflow while parsing /home/bup/ct. Haven't tested against real HW yet, but it works in the emulator: Enabling DCI followed by RED unlock. The code path I used is the arb. write via mg_copyto.

  https://github.com/peterbjornx/me_sa86_exploit


Getting JTAG access

- BSSB Hosting DCI: For lower power (Sx-State) & S0-State DFx access
- USB3 Hosting DCI: For S0-State DFx access and high performance operations
- Expensive: € 456,30


System boot process

ME Boot Process

- Microkernel bootstrap problem: the bup module
  - Has integrated versions of server functionality.
  - Had very high privileges up to ME 12
  - Is responsible for starting host CPU.
  - Starts all servers

Image credit: "Intel ME: The Way of the Static Analysis." Ermolov, Goryachy, Sklyarov (2017)

Host Boot Process

[Diagram build: Reset -> Microcode -> Reset Vector; with Boot Guard: Reset -> Microcode -> Boot Guard ACM -> Reset Vector on the Host CPU; the CSME deasserts CPU RST to start the host]


The Power Management Controller

- 8051 based MCU
- Runs CMX RTOS "Copyright (c) CMX Co. 1999. All Rights Reserved"
- On SPT, Firmware in ROM but patches written from CSME
- On LBG, Firmware loaded from CSME
- Presents register based interface to the CSME
- Controls power gating and reset of IP blocks and CPU


Host Initialization: ME tasks

- Boot guard configuration load
- Clock controller setup
- PMC CPU power ungate
- PSF Fabric configuration
- CPU out of reset

Getting to the minimal viable implementation

[Diagram: a Linux 32-bit x86 process (meloader) running the ME binary, Python scripts and emulated HW blocks, connected over a socket to OpenIPC; legend: Linux Binary, ME Binary, Python Script, HW block]

DEMO: meloader boots real HW
Boot Guard Configuration

  Valid?  -- yes -->  Upload BG profile to Secure Enclave
          -- no  -->  Upload BG disabled to Secure Enclave


Boot Guard Configuration

  CPU                        CSME
  Profile in MSRs            • Profile in Secure Enclave device
  ACM verifies               • Respond to status of Secure Enclave
  Result to MMIO device      • Shutdown timer in software
  Result to MSRs

Boot Guard Configuration 
Minimal viable implementation 


    ; enum BOOTPOLRES, mappedto_191, bitfield
    00000001  SB_FBGAcmEn       = 1
    00000002  SB_CpuDebugEn     = 2
    00000004  SB_BspInitEn      = 4
    00000008  SB_ProtectBiosEn  = 8
    ; enum BOOTPOLTYPE, mappedto_192, bitfield
    00000001  SB_MeasuredBootEn = 1
    00000002  SB_VerifiedBootEn = 2

    # Secure Enclave Registers
    ENC_UNK00   = 0xF0033000
    ENC_BOOTPOL = 0xF0099010
    ENC_SUNKMID = ...          # address not legible in the scan
    ENC_PUBKEY  = 0xF0099049

    def enclave_init(hwif):
        hwif.memory_write( ENC_BOOTPOL       , 4, 0x00040100 )  # bootpoltype . bootpolres
        hwif.memory_write( ENC_SUNKMID       , 4, 0x00000000 )  # kmid . sun_bsmm . sun_acm_km
        hwif.memory_write( ENC_PUBKEY + 0x00 , 4, 0x00000000 )  # public key hash[0]
        hwif.memory_write( ENC_PUBKEY + 0x04 , 4, 0x00000000 )  # public key hash[1]
        hwif.memory_write( ENC_PUBKEY + 0x08 , 4, 0x00000000 )  # public key hash[2]
        hwif.memory_write( ENC_PUBKEY + 0x0C , 4, 0x00000000 )  # public key hash[3]
        hwif.memory_write( ENC_PUBKEY + 0x10 , 4, 0x00000000 )  # public key hash[4]
        hwif.memory_write( ENC_PUBKEY + 0x14 , 4, 0x00000000 )  # public key hash[5]
        hwif.memory_write( ENC_PUBKEY + 0x18 , 4, 0x00000000 )  # public key hash[6]
        hwif.memory_write( ENC_PUBKEY + 0x1C , 4, 0x00000000 )  # public key hash[7]
        hwif.memory_write( ENC_UNK00         , 4, 0x00000040 )  # constant?


Boot Guard Configuration 
Minimal viable implementation 


e Also opens up host-side firmware replacement for machines with Boot Guard enabled 


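The slide's enclave_init() only makes sense against a hwif object, which on the talk's setup is meloader's bridge to the emulator or to real hardware. The block below is an added example, not meloader's code: a small byte-addressed MMIO model with the same memory_write/memory_read shape, so the Secure Enclave profile upload can be exercised and read back offline. The register addresses are the ones on the slide; ENC_SUNKMID is illegible in the scan, so its value here is an assumed placeholder. MmioModel, read_key_hash, profile_summary and the keyword parameters of enclave_init are all inventions of this example; the all-zero defaults reproduce the slide's "BG disabled" profile (no key hash pinned), and profile_summary reports that as key_pinned=False.

```python
# Added example, not meloader's own code: a byte-addressed MMIO model that stands in
# for the real hwif so the Secure Enclave profile writes can be exercised offline.
# Register addresses are the ones on the slide; ENC_SUNKMID is not legible in the
# scan, so the value here is an ASSUMED placeholder, not the real register offset.
ENC_UNK00   = 0xF0033000
ENC_BOOTPOL = 0xF0099010
ENC_SUNKMID = 0xF0099018  # ASSUMED placeholder offset
ENC_PUBKEY  = 0xF0099049

HASH_WORDS = 8  # the slide writes hash[0..7], i.e. a 32-byte (256-bit) key hash


class MmioModel:
    """Sparse little-endian memory model with the hwif.memory_write/read shape."""

    def __init__(self):
        self.mem = {}   # byte address -> byte value
        self.log = []   # every write, in order, for inspection

    def memory_write(self, addr, size, value):
        for i, b in enumerate(value.to_bytes(size, "little")):
            self.mem[addr + i] = b
        self.log.append((addr, size, value))

    def memory_read(self, addr, size):
        raw = bytes(self.mem.get(addr + i, 0) for i in range(size))
        return int.from_bytes(raw, "little")


def enclave_init(hwif, bootpol=0x00040100, key_hash=bytes(32), kmid=0):
    """Same write sequence as the slide; the all-zero defaults give its 'BG disabled' profile."""
    hwif.memory_write(ENC_BOOTPOL, 4, bootpol)          # bootpoltype . bootpolres
    hwif.memory_write(ENC_SUNKMID, 4, kmid)             # kmid . sun_bsmm . sun_acm_km
    for i in range(HASH_WORDS):                         # public key hash[0..7]
        word = int.from_bytes(key_hash[4 * i:4 * i + 4], "little")
        hwif.memory_write(ENC_PUBKEY + 4 * i, 4, word)
    hwif.memory_write(ENC_UNK00, 4, 0x00000040)         # constant?


def read_key_hash(hwif):
    """Read the eight hash words back and return them as the 32-byte hash."""
    return b"".join(hwif.memory_read(ENC_PUBKEY + 4 * i, 4).to_bytes(4, "little")
                    for i in range(HASH_WORDS))


def profile_summary(hwif):
    """What the enclave model now holds: the raw bootpol word and whether a key hash is pinned."""
    h = read_key_hash(hwif)
    return {
        "bootpol": hwif.memory_read(ENC_BOOTPOL, 4),
        "key_hash": h.hex(),
        "key_pinned": any(h),   # an all-zero hash is the slide's disabled profile
    }


if __name__ == "__main__":
    model = MmioModel()
    enclave_init(model)
    print(profile_summary(model))
    print("writes issued:", len(model.log))
```

Running the block against the model records the eleven writes the slide issues and reports the profile as unpinned; passing a real 32-byte hash and a kmid word shows the same sequence carrying a pinned profile, which is the path a verifier would want to see when checking what a bringup script actually programs.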


Future goals 


Escalate to Ring 0
  o Either through “modchip” on debugger interface or
  o through kernel vulnerability.

Implement bootloader for custom firmware and minimal bringup firmware.

Add ExI support to openocd

Clone Intel CCA

Research post-boot power management: Sleep, Reboot, Shutdown
Research PMC firmware
Research other peripherals
Cloning the CCA


Debugging Intel systems:
BSSB physical layer


BSSB waveforms: Sync
BSSB DO (to DUT) sampled on BSSB CLK falling edge, data order LSb first
Sync word is 0x0001


BSSB waveforms: First DUT->Host packet
BSSB DI (from DUT) sampled on BSSB CLK rising edge, data order LSb first

BSSB packets 


• 64 bytes long
• Little Endian
• Same protocol as USB based ExI
  o CCA does handle some vendor requests
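The two waveform slides and the packet bullets above give enough to write a decoder for a logic-analyser capture: DO (host to DUT) is sampled on the CLK falling edge, DI (DUT to host) on the rising edge, bits go out LSb first, the to-DUT stream starts with the 16-bit sync word 0x0001, and the resulting bytes are little-endian 64-byte packets. The block below is an added example written for this page, not code from the talk or from the CCA-clone work. The trace format is an assumption of the example (a list of (clk, do, di) logic-level samples), the 16-bit word width is taken from the sync word, and build_trace constructs a synthetic capture so the decoder can be run offline; all function names are inventions of this example. The header field layout of ExI packets is not reproduced here because the slides only show the PAYLOAD LENGTH field.

```python
# Added example, not from the talk: decode a BSSB capture using the sampling rules on the
# waveform slides (DO on CLK falling edge, DI on CLK rising edge, LSb first, sync 0x0001).
# The (clk, do, di) sample-list trace format is an assumption of this example.
SYNC_WORD = 0x0001   # to-DUT sync word from the slide, sent LSb first
WORD_BITS = 16       # width of the sync word
PACKET_LEN = 64      # BSSB/ExI packets are 64 bytes, little endian


def word_to_bits(word, width=WORD_BITS):
    """Serialise a word LSb first, as it appears on the wire."""
    return [(word >> k) & 1 for k in range(width)]


def bits_to_word(bits):
    """Reassemble LSb-first bits into an integer."""
    return sum(b << k for k, b in enumerate(bits))


def bits_to_words(bits, width=WORD_BITS):
    """Cut a bit list into whole words; a trailing partial word is dropped."""
    return [bits_to_word(bits[i:i + width]) for i in range(0, len(bits) - width + 1, width)]


def sample_line(trace, line, edge):
    """Sample one data line on every clock edge of the given polarity.
    trace: sequence of (clk, do, di); line: 'DO' or 'DI'; edge: 'falling' or 'rising'."""
    idx = 1 if line == "DO" else 2
    want = (1, 0) if edge == "falling" else (0, 1)   # (clk before, clk after)
    bits = []
    prev = trace[0]
    for cur in trace[1:]:
        if (prev[0], cur[0]) == want:
            bits.append(cur[idx])   # value on the line when the edge lands
        prev = cur
    return bits


def find_sync(bits, sync=SYNC_WORD, width=WORD_BITS):
    """Bit offset at which the sync word first appears, or -1 if it never does."""
    for i in range(len(bits) - width + 1):
        if bits_to_word(bits[i:i + width]) == sync:
            return i
    return -1


def words_after_sync(bits, width=WORD_BITS):
    """Words following the sync word (sync itself excluded); empty if no sync was seen."""
    start = find_sync(bits, width=width)
    if start < 0:
        return []
    return bits_to_words(bits[start + width:], width)


def words_to_bytes(words, width=WORD_BITS):
    """Little-endian byte stream, the form in which the 64-byte packets are framed."""
    return b"".join(w.to_bytes(width // 8, "little") for w in words)


def frame_packets(data, size=PACKET_LEN):
    """Split a byte stream into whole packets; the incomplete tail is returned separately."""
    full = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return full, data[len(full) * size:]


def decode_trace(trace):
    """Both directions of a capture: sync position, to-DUT words after sync, from-DUT words."""
    do_bits = sample_line(trace, "DO", "falling")   # host -> DUT
    di_bits = sample_line(trace, "DI", "rising")    # DUT -> host
    return {
        "sync_offset": find_sync(do_bits),
        "to_dut": words_after_sync(do_bits),
        "from_dut": bits_to_words(di_bits),
    }


def build_trace(do_words, di_words):
    """Constructed capture: one clk-low then one clk-high sample per bit period, so DO is
    stable at each falling edge and DI at each rising edge. Shorter stream is zero-padded."""
    do_bits = [b for w in do_words for b in word_to_bits(w)]
    di_bits = [b for w in di_words for b in word_to_bits(w)]
    n = max(len(do_bits), len(di_bits))
    do_bits += [0] * (n - len(do_bits))
    di_bits += [0] * (n - len(di_bits))
    trace = [(1, 0, 0)]   # idle with the clock high so the first falling edge samples bit 0
    for d, q in zip(do_bits, di_bits):
        trace.append((0, d, q))
        trace.append((1, d, q))
    return trace


if __name__ == "__main__":
    capture = build_trace([SYNC_WORD, 0xBEEF], [0x1234, 0xABCD])
    print(decode_trace(capture))
```

The decoder scans for the sync word at every bit offset rather than assuming the capture started on a word boundary, which is the usual failure mode when a logic analyser is armed mid-stream; a capture that never contains 0x0001 on DO yields no to-DUT words at all instead of misaligned garbage.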


Outbound ExI packets


• DUT to Host
• Payload length only sent if E(xtended Header) is set

(Header layout figure: bits 31..0; PAYLOAD LENGTH field)


Inbound ExI packets


• Host to DUT
• Payload length only sent if E(xtended Header) is set

(Header layout figure: bits 31..0)
ROM API
Entrypoints

(names as far as legible in the scan; the first entries are unreadable)

  bit_count_ones
  base64_size
  base64_dec
  shl64
  shr_s64
  shr_u64
  mul_s64
  div64
  mod64
  write_seg_32
  write_seg_16
  write_seg_8
  read_seg_32
  read_seg_16
  read_seg_8
  write_seg
  read_seg
  ...
  memcmp_ct


Useful filenames

system studio 2016.1.028.exe
system studio 2016.2.040.exe
system studio 2016.3.043.exe
system studio 2016.4.046.exe
system studio 2017.1.045.exe
system studio 2017.2.050.exe
system studio 2017.3.057.exe
system studio 2017 beta.0.028.exe
system studio 2019.0.033 ultimate edition windows target.exe
system studio 2019.1.050 ultimate edition windows target.exe
system studio 2019.2.057 ultimate edition windows target.exe
system studio 2019.4.077 ultimate edition windows target.exe
system studio 2019 beta.0.014 ultimate edition windows target.exe
system studio 2019 update 3 ultimate edition.exe
w cembd 2014.0.026.exe
w cembd p 2013.0.013.exe
